AI recruitment in Germany with GDPR, AI Act and works council compliance
Guides

AI Recruitment in Germany: GDPR, AI Act and Works Council Rules (2026)

Short answer

German employers can use AI recruitment tools, but purely automated hiring decisions significantly affecting applicants are prohibited under GDPR Article 22 unless an exception applies. A human-in-the-loop is required, and from August 2026 the EU AI Act adds further HR AI obligations.

  • GDPR Article 22 blocks purely automated hiring decisions with significant effects, so a real human review step is mandatory.
  • BDSG Section 26 is usually the key legal basis for applicant data, while consent is rarely reliable in employment settings.
  • AI systems used for recruitment fall under AI Act Annex III high-risk rules, which apply from August 2, 2026.
  • Works councils can force negotiation on HR technology under BetrVG Section 87 before a tool goes live.

AI recruitment in Germany is legal only if a human makes the real hiring decision, applicants receive GDPR-compliant transparency, and the employer prepares now for the EU AI Act high-risk rules that start on August 2, 2026. For most HR teams, that means documenting human review, checking the vendor setup, and involving the works council before rollout.

If you need the short answer:

  • Do not let software reject or shortlist candidates on its own.
  • Use BDSG Section 26 and a compliant privacy notice for applicant data.
  • Treat recruitment AI as a 2026 governance project now, not in August.
  • Involve the Betriebsrat early if the tool can monitor behavior or performance.

Yes, with limits. German employers can use AI for CV screening, candidate ranking, interview support, and workflow automation, but they cannot hand over the final hiring outcome to an automated system. The main restriction comes from GDPR Article 22, which prohibits decisions that are purely automated and have legal or similarly significant effects unless a narrow exception applies.

In practice, this means:

  • You may use AI to rank CVs, flag missing qualifications, or structure applications.
  • You may not reject, invite, or materially disadvantage a candidate solely because a model produced that outcome.
  • A recruiter or hiring manager must make a genuine decision, not just approve whatever the tool suggests.

For a broader compliance baseline, see our EU AI Act checklist for German companies and our AI recruitment screening compliance guide.

GDPR Article 22 and Automated Hiring Decisions

GDPR Article 22 establishes a general prohibition on purely automated individual decision-making that produces legal or similarly significant effects. For recruitment, “significant effects” clearly covers rejection, shortlisting, and invitation to interview.

Three exceptions exist under Article 22(2):

  1. The decision is necessary for entering into a contract with the data subject.
  2. The decision is authorized by EU or Member State law.
  3. The data subject has given explicit consent.

In German recruitment practice, employers often analyze whether exception (1) can help justify limited automation in the path toward a contract. Even then, Article 22(3) requires safeguards: the applicant must be able to obtain human review, express a point of view, and contest the decision.

What counts as “purely automated”? The EDPB guidance is clear: a human must make a genuine decision. If the human simply approves whatever the algorithm outputs without independent assessment, this is likely still “purely automated” in substance.

That is why answer-first recruiter workflows matter. A compliant process usually includes a documented review step, escalation criteria for edge cases, and a clear record of who overrode or accepted the AI output.

BDSG Section 26 — Applicant Data Protection in Germany

Germany’s Federal Data Protection Act (BDSG) Section 26 provides the specific legal basis for processing applicant data. It permits processing where necessary for decisions about establishing an employment relationship.

Key points for HR teams:

  • Consent is rarely the right basis for applicant data. The power imbalance between employer and applicant makes freely given consent under GDPR hard to establish. Rely on BDSG Section 26 instead.
  • Sensitive data (health, disability, ethnicity) requires a higher standard of justification — typically explicit consent or necessity to exercise employment law rights.
  • Deletion obligations: Applicant data must be deleted within a reasonable period after a recruitment process concludes. German practice generally treats 4 to 6 months as reasonable; longer retention requires justification.
  • Data minimisation: Only collect data relevant to the role. AI tools that infer personality traits, cultural fit scores, or psychometric profiles from CV text or video interviews carry elevated risk.

If your vendor ingests large volumes of candidate data or uses U.S.-hosted infrastructure, pair this with a GDPR AI vendor assessment checklist before procurement or renewal.

What Employers Should Do Before August 2, 2026

The EU AI Act entered into force in August 2024, but the high-risk obligations for most recruitment AI systems apply from August 2, 2026. Recruitment and HR systems are listed in Annex III where they are used to:

  • AI used to screen or filter job applications.
  • AI used to assess candidates in tests during or preparatory to the recruitment process.
  • AI used to make or influence decisions on promotion, termination, or task assignment.

For employers in Germany, the immediate takeaway is practical: 2026 is the implementation deadline, but 2025 and early 2026 are the vendor and governance window. From August 2, 2026, organizations using high-risk AI in recruitment should be ready to:

  • Ensure the system has been registered in the EU database for high-risk AI systems (obligation on providers).
  • Conduct a conformity assessment or verify the provider’s CE marking.
  • Maintain logs of system use and carry out monitoring.
  • Implement human oversight measures.
  • Provide transparency to affected individuals.

If you are selecting a vendor now, ask for the AI Act roadmap immediately. A provider that cannot explain documentation, logging, human oversight, and post-market monitoring by May 2026 is creating avoidable risk for your HR team.

For a broader overview, see our AI Act in HR and recruitment industry guide and our EU AI Act August 2026 deadline checklist.

Which AI Recruitment Tools Are Usually Lowest Risk?

There is no official whitelist. The key questions to ask when evaluating any AI recruitment tool:

1. Does the vendor have a Data Processing Agreement (DPA)? Mandatory under GDPR Article 28 if the vendor processes personal data on your behalf. Review the DPA carefully — particularly sub-processors, data residency, and breach notification timelines.

2. Where is data processed? Processing applicant data outside the EU/EEA requires additional transfer mechanisms (Standard Contractual Clauses, adequacy decision). U.S. vendors must be covered by the EU-U.S. Data Privacy Framework or SCCs.

3. Does the tool support human-in-the-loop review? Any tool that claims to make autonomous hiring decisions without human review creates GDPR Article 22 liability. The tool should produce outputs that inform human decisions, not replace them.

4. Does the vendor provide AI Act compliance documentation? From August 2026, you need to be able to demonstrate that the AI system you are using meets EU AI Act high-risk requirements. Ask vendors for their technical documentation and conformity assessment records.

Common tool categories in practice:

  • ATS with AI ranking: Usually the lowest-risk option if the system supports HR staff and does not autonomously decide.
  • Standalone CV screening AI: Higher risk because the scoring logic can become the real gatekeeper unless review is documented.
  • Video interview AI: Highest scrutiny in Germany, especially where emotion, voice, or biometric inferences are involved.

Works Council (Betriebsrat) and AI Recruitment

German companies with 5 or more employees may have a Betriebsrat (works council). Under Betriebsverfassungsgesetz (BetrVG) Section 87(1)(6), the works council has mandatory co-determination rights over the introduction and use of technical systems that are capable of monitoring employee behavior or performance.

While applicants are not employees, German labor courts and the literature have generally treated applicant tracking systems as falling within the scope of BetrVG Section 87 where employees in the HR department interact with the system or where the system processes data relevant to hiring decisions that affect the workforce composition.

In practice:

  • Inform the works council before introducing any AI recruitment tool.
  • Negotiate a Betriebsvereinbarung (works agreement) governing the tool’s use: what data is collected, how long it is retained, who can access outputs, and what human review steps apply.
  • The works council cannot veto the business decision to hire, but it can make the tool legally unusable if you fail to reach agreement.
  • Failure to comply with co-determination rights can lead to injunctions against using the system.

For many employers, this is the hidden reason deployment slows down. The legal blocker is often not whether AI is allowed in principle, but whether the rollout package is mature enough for HR, privacy, and employee representation at the same time.

Practical Compliance Checklist for AI Recruitment in Germany

Use this checklist before deploying any AI recruitment tool:

  1. DPIA: Conduct a Data Protection Impact Assessment under GDPR Article 35. Required for systematic, large-scale automated profiling of applicants.
  2. Legal basis review: Confirm BDSG Section 26 covers the processing. Document your legal basis assessment.
  3. DPA with vendor: Execute a GDPR Article 28 Data Processing Agreement.
  4. Transfer mechanisms: If data leaves the EU/EEA, ensure adequate transfer safeguards.
  5. Update applicant privacy notice: Include information on automated processing, the logic involved, and applicants’ rights under Article 22(3).
  6. Human review process: Design and document the human review step. Train HR staff on what meaningful review requires.
  7. Works council engagement: Inform the Betriebsrat and negotiate a Betriebsvereinbarung before go-live.
  8. Deletion schedule: Implement automatic deletion of applicant data after the recruitment process concludes (typically 4–6 months).
  9. AI Act readiness: For tools likely classified as high-risk under AI Act Annex III, request vendor compliance documentation now and plan for August 2026.

FAQ: AI Recruitment in Germany

Can we automatically reject applicants with AI in Germany?

Usually no. If the rejection has a significant effect on the applicant and no meaningful human review takes place, the process is likely prohibited by GDPR Article 22.

What is the biggest 2026 AI Act risk for HR teams?

The biggest risk is assuming the vendor will solve everything. By August 2, 2026, employers still need documented oversight, procurement diligence, and a defensible internal workflow for how the system is used.

Do we need works council approval before using AI hiring software?

In many German businesses, yes. If the system can monitor behavior or performance, or materially shapes hiring workflows, co-determination under BetrVG Section 87 should be analyzed before launch.

Next Steps for Employers

If your company uses AI to screen CVs, rank applicants, or support hiring decisions in Germany, now is the time to review your workflow, vendor contracts, and works council process. Our AI recruitment screening guide, AI Act HR overview, and August 2026 deadline checklist are a good starting point. For role-specific risk assessments, speak with our team.


This guide provides general legal information for HR teams and business operators. It does not constitute legal advice. Specific situations — particularly works council negotiations or DPIA scoping — require individual legal counsel.

You might also like

Employment law in Germany for employers reviewing contracts and workplace rules
Guides

Employment Law in Germany: Contracts, Termination, and Works Councils

Employment law in Germany explained for employers: contracts, working time, leave, dismissal protection, works councils, and data rules for business operations.

Commercial contracts in Germany for B2B companies
Guides

Commercial Contracts in Germany: Key Clauses, Risks, and Review Triggers

Commercial contracts in Germany need more than a template. Businesses should review liability, termination, data protection, and mandatory German contract rules before signing.

Intellectual property law in Germany for businesses
Guides

Intellectual Property Law in Germany: What Businesses Should Protect

Intellectual property law in Germany covers trademarks, copyright, patents, designs, trade secrets, ownership, licensing, and enforcement for businesses.

Corporate law in Germany for companies and founders
Guides

Corporate Law in Germany: What Companies Need to Know

Corporate law in Germany governs company formation, shareholder rights, governance, financing, and restructurings. A practical guide for founders and businesses.

Intellectual property lawyer in Germany for tech companies
Guides

Intellectual Property Lawyer in Germany: IP for Tech Companies

An intellectual property lawyer in Germany helps businesses protect software, brands, know-how, and licensing rights through contracts, ownership rules, and IP risk management.

AI tools for law firms in Germany — BRAO compliance and GDPR guide
Guides

AI for Law Firms in Germany: Tools, Compliance, and BRAO

A practical guide for German law firms and lawyers on using AI tools legally — BRAO, GDPR, confidentiality rules, and which AI tools work in practice.

Frequently asked questions

Yes. German employers may use AI to rank or screen CVs, but the tool cannot be the sole basis for rejecting, shortlisting, or otherwise significantly affecting a candidate. A human decision-maker must independently review the result under GDPR Article 22.

Yes. If an AI recruitment tool makes, or effectively determines, a decision that significantly affects a job applicant, GDPR Article 22 is engaged. Purely automated decision-making without meaningful human review is prohibited unless an Article 22(2) exception applies.

From August 2, 2026, most AI systems used to recruit, screen, or evaluate candidates must comply with the EU AI Act high-risk framework. Employers using those tools should expect tighter vendor due diligence, logging, human oversight, and documentation requirements.

Almost certainly yes. The German data protection authorities (DSK) have indicated that systematic, large-scale automated processing of applicant data, especially with profiling, requires a Data Protection Impact Assessment (DPIA) under GDPR Article 35.

Applicants must be informed in the privacy notice that their data is processed using automated systems, what logic is involved, the significance of the processing, and their right to request human review under GDPR Articles 13 and 22(3).

The works council cannot veto a business decision to hire, but it has co-determination rights over the introduction of technical systems that monitor employee or applicant behavior under BetrVG Section 87(1)(6). Failure to involve the works council can render the tool legally unusable.

Ready to get started?

Book Free Call